@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Improve utilization of "AuthTemporaryToken" table keys in LFS authentication queries

Summary:
See PHI1123. The key on this table is `<resource, type, code>` but we currently query for only `<type, code>`. This can't use the key.

Constrain the query to the resource we expect (the repository) so it can use the key.

Test Plan: Pushed files using LFS. See PHI1123 for more, likely.

Reviewers: amckinley

Reviewed By: amckinley

Differential Revision: https://secure.phabricator.com/D20261

+28 -4
src/applications/diffusion/controller/DiffusionServeController.php
··· 192 192 // Try Git LFS auth first since we can usually reject it without doing 193 193 // any queries, since the username won't match the one we expect or the 194 194 // request won't be LFS. 195 - $viewer = $this->authenticateGitLFSUser($username, $password); 195 + $viewer = $this->authenticateGitLFSUser( 196 + $username, 197 + $password, 198 + $identifier); 196 199 197 200 // If that failed, try normal auth. Note that we can use normal auth on 198 201 // LFS requests, so this isn't strictly an alternative to LFS auth. ··· 655 658 656 659 private function authenticateGitLFSUser( 657 660 $username, 658 - PhutilOpaqueEnvelope $password) { 661 + PhutilOpaqueEnvelope $password, 662 + $identifier) { 659 663 660 664 // Never accept these credentials for requests which aren't LFS requests. 661 665 if (!$this->getIsGitLFSRequest()) { ··· 668 672 return null; 669 673 } 670 674 675 + // See PHI1123. We need to be able to constrain the token query with 676 + // "withTokenResources(...)" to take advantage of the key on the table. 677 + // In this case, the repository PHID is the "resource" we're after. 678 + 679 + // In normal workflows, we figure out the viewer first, then use the 680 + // viewer to load the repository, but that won't work here. Load the 681 + // repository as the omnipotent viewer, then use the repository PHID to 682 + // look for a token. 
683 + 684 + $omnipotent_viewer = PhabricatorUser::getOmnipotentUser(); 685 + 686 + $repository = id(new PhabricatorRepositoryQuery()) 687 + ->setViewer($omnipotent_viewer) 688 + ->withIdentifiers(array($identifier)) 689 + ->executeOne(); 690 + if (!$repository) { 691 + return null; 692 + } 693 + 671 694 $lfs_pass = $password->openEnvelope(); 672 695 $lfs_hash = PhabricatorHash::weakDigest($lfs_pass); 673 696 674 697 $token = id(new PhabricatorAuthTemporaryTokenQuery()) 675 - ->setViewer(PhabricatorUser::getOmnipotentUser()) 698 + ->setViewer($omnipotent_viewer) 699 + ->withTokenResources(array($repository->getPHID())) 676 700 ->withTokenTypes(array(DiffusionGitLFSTemporaryTokenType::TOKENTYPE)) 677 701 ->withTokenCodes(array($lfs_hash)) 678 702 ->withExpired(false) ··· 682 706 } 683 707 684 708 $user = id(new PhabricatorPeopleQuery()) 685 - ->setViewer(PhabricatorUser::getOmnipotentUser()) 709 + ->setViewer($omnipotent_viewer) 686 710 ->withPHIDs(array($token->getUserPHID())) 687 711 ->executeOne(); 688 712
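Review bot: the new `$identifier` parameter to `authenticateGitLFSUser()` (lines 656-662 of the second hunk) carries no type hint or docblock, unlike `PhutilOpaqueEnvelope $password` next to it; document that it is the repository identifier taken from the request path and that when it does not resolve the method returns `null` (lines 690-692), so the request silently falls back to the normal auth path described at lines 197-198 instead of failing LFS auth outright. A one-line comment near line 684 would also help: the repository is loaded with the omnipotent viewer before any credential has been checked, so that load exists only to derive the `resource` PHID for the `withTokenResources(...)` constraint at line 699, and the policy check of the returned `$user` against the repository must still happen in the caller, which this hunk does not show.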